Closed komuw closed 11 months ago
If a malicious person sets bad.com to point to an IP that you own.
bad.com
curl -vkL https://bad.com curl: (35) OpenSSL/3.0.9: error:0A000438:SSL routines::tlsv1 alert internal error
BUT
curl -vkL http://bad.com HTTP/1.1 308 Permanent Redirect Content-Type: text/html; charset=utf-8 Location: https://myGoodDomain.com/ GET / HTTP/2 Host: myGoodDomain.com HTTP/2 200
It succeds. This is because the redirector first checks for non-tls traffic; https://github.com/komuw/ong/blob/96eddd2e26dcb20d0549aeb05d8c4cb56b76ade2/middleware/redirect.go#L20-L31 instead of checking for dns rebinding; https://github.com/komuw/ong/blob/96eddd2e26dcb20d0549aeb05d8c4cb56b76ade2/middleware/redirect.go#L62-L69
If a malicious person sets
bad.comto point to an IP that you own.BUT
It succeds. This is because the redirector first checks for non-tls traffic; https://github.com/komuw/ong/blob/96eddd2e26dcb20d0549aeb05d8c4cb56b76ade2/middleware/redirect.go#L20-L31 instead of checking for dns rebinding; https://github.com/komuw/ong/blob/96eddd2e26dcb20d0549aeb05d8c4cb56b76ade2/middleware/redirect.go#L62-L69